Many organizations will be familiar with the Verizon Data Breach Investigations Report (DBIR), which is issued each year. A recurring theme in the report is the average amount of time it takes an organization to identify an attack (or data breach), counted from the point at which the intruder first gained access to the network. This is often referred to as the dwell time.
The initial time that it takes to compromise an asset is usually measured in seconds. For spear phishing, this effectively suggests that a user will decide whether or not to click a link in an e-mail within a few seconds of reading it.
The amount of time it typically takes for data to be exfiltrated after an initial incident is measured in days. This means that after the initial compromise, an attacker will be resident within the network for a number of days before attempting to exfiltrate data.